Land Transport Authority

[LTA-ITCD] LEAD / PRINCIPAL CYBER ENGINEER (SOC PRODUCT LEAD)

Fixed Terms
Closing on 20 May 2026

What the role is

LEAD / PRINCIPAL CYBER ENGINEER (SOC PRODUCT LEAD)

What you will be working on

The SOC Product Lead is the strategic owner of the Cybersecurity Operations Centre's detection and monitoring capabilities, treating the SOC as a continuously evolving product rather than a static operational function. This role bridges business risk, stakeholder demands, compliance obligations, and the threat landscape — translating them into a prioritised roadmap that the Tech Lead and analyst teams execute against. The Product Lead does not build detection rules; they ensure the right capabilities are built, in the right order, for the right outcomes.

SOC Capability Roadmap & Backlog Ownership

  • Define, own, and continuously refine the SOC capability roadmap — encompassing detection use cases, automation workflows, tooling enhancements, and analyst enablement initiatives
  • Maintain a prioritised product backlog that balances immediate operational risk reduction with longer-term platform maturity goals
  • Write clear user stories and acceptance criteria for detection use cases, SOAR playbooks, and dashboard requirements — in a format the Tech Lead and engineering team can act on
  • Facilitate sprint planning, backlog refinement, and sprint review ceremonies in collaboration with the Tech Lead and Design Lead
  • Track and report delivery velocity, sprint outcomes, and roadmap progress to SOC management and security leadership

Stakeholder Management & Requirements Gathering

  • Act as the primary interface between the SOC and internal stakeholders
  • Conduct regular stakeholder engagement sessions to surface new monitoring requirements, regulatory obligations, and threat concerns
  • Translate ambiguous business risk statements into concrete, actionable SOC capability requirements
  • Manage stakeholder expectations on delivery timelines, scope trade-offs, and prioritisation decisions
  • Represent the SOC's capability roadmap in governance forums, risk committees, and security steering group meetings

Threat-Informed Prioritisation

  • Maintain a continuous threat landscape assessment — incorporating inputs from threat intelligence feeds, red team findings, incident post-mortems, industry ISACs, and regulatory advisories
  • Prioritise detection use case development based on threat actor relevance, asset criticality, and exploitability — mapped to the MITRE ATT&CK framework
  • Own the detection coverage gap register, working with the Tech Lead to close high-priority gaps within agreed sprint cycles
  • Ensure new and emerging threat vectors (e.g., AI-assisted attacks, supply chain compromise, cloud-native threats) are reflected in the backlog ahead of operational need

Tool & Vendor Strategy

  • Own the SOC technology portfolio strategy — including SIEM, SOAR, EDR, threat intelligence platforms, and supporting integrations
  • Lead vendor evaluations, RFP processes, and proof-of-concept reviews in collaboration with the Tech Lead, providing business and capability justifications for tooling decisions
  • Manage vendor relationships, contract renewals, and SLA oversight for all SOC platform providers
  • Track the market for emerging security technologies and assess their fit against the SOC's capability roadmap
  • Own the SOC technology budget — forecasting spend, managing renewals, and justifying investment cases to leadership

Metrics, Reporting & Continuous Improvement

  • Define and own the SOC's key performance indicators (KPIs) and operational metrics — including MTTD, MTTR, alert fidelity, use case coverage, and automation rates
  • Develop and maintain executive-facing dashboards and reports that communicate SOC effectiveness in business risk terms, not purely technical metrics
  • Lead regular operational reviews — identifying trends, persistent gaps, and improvement opportunities across people, process, and technology dimensions
  • Conduct use case lifecycle reviews to retire outdated rules, refresh low-fidelity detections, and ensure the detection library remains current and relevant
  • Drive post-incident reviews from a product improvement perspective — ensuring lessons learned are converted into backlog items and delivered

Compliance & Governance Alignment

  • Ensure SOC monitoring coverage aligns with applicable regulatory frameworks and compliance requirements (e.g., MAS TRM, ISO 27001, NIST CSF, local IM8 guidelines where applicable)
  • Maintain traceability between compliance control requirements and deployed detection use cases
  • Support internal and external audits by providing evidence of SOC capability coverage and operational effectiveness
  • Coordinate with the risk and compliance function to ensure the SOC's roadmap reflects the organisation's broader risk appetite and control objectives

What we are looking for

• Knowledge in Computer Science, Computer Engineering, Data Science, or related technical discipline

• Deep understanding of security monitoring and detection operations — including alert triage workflows, incident response lifecycles, and T1/T2/T3 analyst structures

• Working knowledge of the MITRE ATT&CK framework, common attack vectors, threat actor TTPs, and emerging threat categories

• Functional understanding of SIEM platforms (preferably Microsoft Sentinel), SOAR, EDR and threat intelligence platforms

• Ability to define meaningful SOC KPIs, build reporting frameworks, and communicate operational performance to both technical and non-technical audiences

• Exposure to cloud security monitoring concepts across Azure and AWS

• Experience operating within a regulated financial services, critical infrastructure, or government SOC environment

• At least 5 years in cybersecurity with at least 2 years in a product management, SOC management, or senior security operations role with strategic responsibilities

• Demonstrated experience owning a security capability roadmap or technology portfolio, including vendor management and budget accountability

• Track record of translating business and risk requirements into security monitoring outcomes

• Exceptional communication skills

• Strategic thinker who can balance long-term capability building with short-term operational firefighting

• Data-driven decision-making mindset with the ability to challenge assumptions using evidence from SOC metrics and threat intelligence

As part of the shortlisting process for the role, you may be required to complete a medical declaration and/or undergo further assessment.

About your application process

This job is closing on 20 May 2026.

If you do not hear from us within 4 weeks of the job ad closing date, we seek your understanding that it is likely that we are not moving forward with your application for this role. We thank you for your interest and would like to assure you that this does not affect your other job applications with the Public Service. We encourage you to explore and apply for other roles within Land Transport Authority or the wider Public Service.


About Land Transport Authority

The Land Transport Authority (LTA) is a statutory board under the Ministry of Transport that spearheads land transport developments in Singapore. We are seeking dynamic, energetic, highly motivated, passionate and qualified professionals to join us. Many opportunities and challenges await those who are keen on an exciting career to realise our commitment to envision and implement an integrated transport system.